Unable to remove top level permissions

  • Question

  • Hello,

    I am new to Exchange Management Console and basically we have a member of staff who has Full Access permission to everybody's mailbox. There are quite a number of staff so I thought it would be easier to use a PowerShell command to do this for me. This is not working though, it doesn't give any failed prompts so looks like there is no problem with the command but when you check the user, the original user still has full access permission.

    I can remove the user manually from each mailbox which would be quite time consuming but whenever a new mailbox is created the member of staff is automatically added into the full access permission.

    I have checked the top level permissions and they are not a member of those groups. Is there anywhere I am not looking?

    I am grateful for any help as I seem to be just hitting walls!

    Thursday, November 13, 2014 11:08 AM

Answers

  • Hi,

    From your description, I recommend you use the following cmdlet to remove the permission and check the result.

    Get-MailboxDatabase -Identity "Mailbox Database name" | Remove-ADPermission -User xxx -AccessRights GenericAll

    Hope this can be helpful to you.

    Best regards,


    Amy Wang
    TechNet Community Support

    Friday, November 14, 2014 8:50 AM
    Moderator
  • Try Amy's suggestion for removing the existing permissions. As for the user being added automatically, I don't think there is any native Exchange function that would automatically grant a particular user permissions to someone else's mailbox. One possibility: execution of a script is scheduled to do this.

    In your situation, I would examine any scripts set to run on the Exchange servers. You can look in Task Scheduler for a start.

    If you have an auditing tool like ManageAlert AD Audit Plus (or the Quest / Power Broker, etc. equivalent), you should be able to see who was added to the group (which you know) and by whom/what (which you do not know).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, November 14, 2014 7:37 PM
  • Open one of your mailboxes in ADSIEdit, and determine what level that account is getting the permissions. To do this, run the following command:

    Get-MailboxDatabase | Get-ADPermission -user "<domain>\<user alias>"

    This will give output like the following:

    Identity                  User                   Deny Inherited Rights
    --------                   ----                    ----    ---------  ------
    EX11\First Storag... domain\Admi... True  True        Send-As
    EX11\First Storag... domain\Admi... True  True        Receive-As
    EX11\First Storag... domain\Admi... True  True        CreateChild, Delet...
    EX11\First Storag... domain\Admi... False True        GenericAll

    This will tell you if the permissions were inherited from the database (which I suspect they are).  If they are inherited from higher, you will need to remove them at a higher level than the database.  If not, remove their permissions at the database level using:

    Get-MailboxDatabase | Remove-ADPermission -user "<domain>\<user alias>"



    Friday, November 14, 2014 9:22 PM
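    Putting the two answers above together, here is an added example (not posted by anyone in this thread) that reports, for one account, whether its entries on each mailbox database are explicit or inherited, removes only the explicit database-level grants when asked to, and otherwise looks one level up. It assumes the Exchange Management Shell, that Get-ExchangeServer and Get-OrganizationConfig output can be piped to Get-ADPermission, and the constructed account name CONTOSO\jsmith.

```powershell
# Added example for this thread, not code from any of the posters. Run in the
# Exchange Management Shell as an account allowed to read and change AD permissions.
# Parameter names, the report layout and "CONTOSO\jsmith" are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$User,   # e.g. "CONTOSO\jsmith" (constructed)
    [switch]$Remove                                # without it the script only reports
)

# 1. What does the account hold on each mailbox database, and is it inherited?
#    Full Access that appears on every mailbox, including new ones, is usually
#    an inherited ACE, which Remove-MailboxPermission on a mailbox cannot remove.
$dbAces = @(Get-MailboxDatabase | Get-ADPermission -User $User)

foreach ($ace in $dbAces) {
    $rights = @($ace.AccessRights + $ace.ExtendedRights | Where-Object { $_ }) -join ', '
    $origin = if ($ace.IsInherited) { 'inherited from above the database' } else { 'granted on the database' }
    $type   = if ($ace.Deny) { 'DENY ' } else { 'ALLOW' }
    Write-Host ("{0,-45} {1} {2,-30} {3}" -f $ace.Identity, $type, $rights, $origin)
}

# 2. Explicit grants on a database can be removed right there. Piping the ACE
#    objects hands the exact rights (including extended rights such as Send-As)
#    to Remove-ADPermission, so nothing else on the database is touched.
$explicit = @($dbAces | Where-Object { -not $_.IsInherited -and -not $_.Deny })
if ($explicit.Count -gt 0) {
    if ($Remove) {
        $explicit | Remove-ADPermission -Confirm:$false
        Write-Host "Removed $($explicit.Count) explicit database-level entries for $User."
    } else {
        Write-Host "Report only: re-run with -Remove to delete the $($explicit.Count) explicit database-level entries."
    }
}

# 3. Entries still inherited at the database level were granted higher up
#    (server or organization object). List the explicit entries there so the
#    grant is removed at its origin instead of on every database.
if ($dbAces | Where-Object { $_.IsInherited }) {
    Write-Host "`nDatabase entries are inherited; explicit entries above the database level:"
    @(Get-ExchangeServer) + @(Get-OrganizationConfig) |
        Get-ADPermission -User $User |
        Where-Object { -not $_.IsInherited } |
        Format-Table Identity, User, Deny, AccessRights, ExtendedRights -AutoSize
}
```

    Run it once without -Remove, confirm the report matches what ADSIEdit shows, and only then run it again with -Remove.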

All replies

  • Sorry I should have said, the user needs to have their full access mailbox permission removed from all mailboxes within the company.
    Thursday, November 13, 2014 11:09 AM